December 5, 2025
700 Credit has confirmed a data breach involving dealer customer data – including names, addresses, and Social Security numbers – that was copied without authorization between May and October 2025.
If your dealership utilizes 700Credit, immediate attention is required. While the vendor has committed to providing required notifications and credit monitoring, dealers must ensure their own liability is covered and that specific state and federal requirements are met.
For a deep dive into the specifics of the 700Credit breach, including vendor risk assessments and opt-out details, please review the full alert from our partners at ComplyAuto.
VADA Legal Guidance: General Data Breach Checklist
Beyond this specific incident, data security remains a top priority for Virginia dealers. The VADA Legal team has prepared the following checklist to guide you through this incident and help you prepare for future data security events.
1. Dealer Data Breach Protocol: Your organization should have a data breach protocol in place, including designating who should be in charge in the event of a data breach.
2. Insurance Review: Dealers should pull and read their insurance policies, specifically focusing on policies covering cyber insurance, cyberattacks, and business interruption.
- Dealers need to understand what is and is not covered under their policies.
- If you have any questions about your policies and coverage, speak to your insurance agent or carrier immediately.
3. Letter to Vendor: If a vendor is breached, Virginia dealers have the right to know if personal information has been accessed. Pursuant to Va. Code § 18.2-186.6(D), and entity that maintains computerized data it does not own must notify the owner (dealer) without unreasonable delay if personal information was accessed and acquired by an unauthorized person.
The notification to the vendor should request:
- Whether the data kept by the vendor was encrypted.
- If encrypted, whether the encryption key was breached.
- Whether the dealer's records were accessed as part of the breach.
- If so, the number of dealer records affected.
Specific Action: Dealers need to explicitly ask whether their customer data was encrypted, accessed, and part of the breach.
4. Vendor Agreement Addendums (Safeguards Rule): As part of your requirements under the FTC Safeguards Rule, dealers need addendums to their vendor agreements stating that the vendor maintains the dealer's customer data in compliance with the Safeguards Rule. Dealers should review all agreements to ensure these addendums are in place for all vendors.
5. Data Security Systems: Dealers should ensure that their systems have security in place and run tests to ensure no malware or virus has impacted their systems. Speak with your IT providers to ensure all safety protocols are active and effective.
6. Customer Notifications under Federal and State Law: When there is a data breach of customer information, you may have notification requirements under Virginia law and with the FTC. You need to seek counsel with your attorney regarding the need for any notifications and what they should look like.
- Federal Law (Safeguards Rule):
- You should have a written security program and plan pursuant to the Safeguards Rule. (NADA has a highly recommended sample program).
- The Safeguards Rule requires dealers to file notice with the FTC in the event of a data breach involving 500 or more customers.
- The FTC has allowed companies involved in recent breaches to file the notice with the FTC on behalf of its dealer customers.
- Virginia Law (Va. Code § 18.2-186.6):
- A business must disclose a breach if encrypted info is accessed in an unencrypted form OR if the encryption key was breached, and it is reasonably believed this will cause identity theft or fraud to Virginia residents.
- Entities subject to the Gramm-Leach-Bliley Act (GLBA) that maintain notification procedures in accordance with GLBA are deemed to be in compliance with Virginia's section. Since dealers are subject to GLBA under the Safeguards Rule, meeting GLBA requirements often satisfies Virginia law, potentially avoiding a separate state-level notice.